Palo Alto

This configuration was validated using a PA-500 running PAN-OS version 6.0.6.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can arrive on any tunnel that is "up" on your device. Configure your firewall so that traffic arriving over either tunnel is accepted. Otherwise, ping tests and application traffic across the connection will not work reliably.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.

Example Value: 129.146.12.52

${sharedSecret#}

The IPSec IKE pre-shared-key. There is one value for each tunnel.

Example Value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpeInterfaceName}

The name of the CPE interface where the CPE IP address is configured.

Example Value: ethernet1/1

${VcnCidrBlock}

The CIDR block you selected when creating the VCN. It is the aggregate network that covers all VCN hosts, and it is the destination you route toward the tunnels.

Example Value: 10.0.0.0/20

Parameters Discovered from CPE Configuration

The following parameters are based on your current CPE configuration.

${tunnelUnit#}

Each tunnel needs a unit number that identifies that tunnel.

Example: 10, where 10 is the tunnelUnit for interface tunnel.10

${oracleSecurityZoneName}

The tunnels need to be placed inside a security zone that defines their access profile.

Example: "Oracle Cloud Infrastructure"

Note: The value must be enclosed in quotation marks.

${CpeVirtualRouterName}

The tunnels terminate in a virtual router on the Palo Alto firewall. You can either terminate them in an existing virtual router or configure a new one.

Example Value: Oracle-virtual-router

ISAKMP Policy Options

Parameter                   Recommended Value
ISAKMP protocol version     Version 1
Exchange type               Main mode
Authentication method       Pre-shared keys
Encryption                  AES-256-cbc
Authentication algorithm    SHA-384
Diffie-Hellman Group        Group 5
IKE session key lifetime    28800 seconds (8 hours)

IPSec Policy Options

Parameter                   Recommended Value
IPSec protocol              ESP, tunnel-mode
Encryption                  AES-256-cbc
Authentication algorithm    HMAC-SHA1-96
Diffie-Hellman Group        Group 5
Perfect Forward Secrecy     Enabled
IPSec session key lifetime  3600 seconds (1 hour)
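The following PAN-OS configure-mode commands put the parameters above and the two policy tables together for both tunnels. This is an added example written for this page, not Oracle's or Palo Alto Networks' own configuration. The example values for tunnel 1 come from the parameter list; the headend address and pre-shared key for tunnel 2, tunnel unit 11, and the object names oracle-ike, oracle-ipsec, oracle-gw-1/2, oracle-tun-1/2 and vcn-via-tun1/2 are assumptions. The command paths follow the PAN-OS 6.x CLI as recalled here; confirm each with tab completion or `set ?` on your device before committing.

```text
# Added example (not from the original page). Values for tunnel 2 and all
# object names are assumptions; tunnel 1 values are the page's example values.

# IKE (phase 1) crypto profile: IKEv1, AES-256-CBC, SHA-384, DH group 5, 8 hours
set network ike crypto-profiles ike-crypto-profiles oracle-ike encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles oracle-ike hash sha384
set network ike crypto-profiles ike-crypto-profiles oracle-ike dh-group group5
set network ike crypto-profiles ike-crypto-profiles oracle-ike lifetime seconds 28800

# IPSec (phase 2) crypto profile: ESP AES-256-CBC, HMAC-SHA1-96, PFS group 5, 1 hour
set network ike crypto-profiles ipsec-crypto-profiles oracle-ipsec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles oracle-ipsec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles oracle-ipsec dh-group group5
set network ike crypto-profiles ipsec-crypto-profiles oracle-ipsec lifetime seconds 3600

# Tunnel 1: ${ipAddress1} = 129.146.12.52, ${sharedSecret1}, ${tunnelUnit1} = 10
set network ike gateway oracle-gw-1 protocol ikev1 exchange-mode main
set network ike gateway oracle-gw-1 protocol ikev1 ike-crypto-profile oracle-ike
set network ike gateway oracle-gw-1 authentication pre-shared-key key EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE
set network ike gateway oracle-gw-1 local-address interface ethernet1/1
set network ike gateway oracle-gw-1 peer-address ip 129.146.12.52
set network interface tunnel units tunnel.10
set network tunnel ipsec oracle-tun-1 auto-key ike-gateway oracle-gw-1
set network tunnel ipsec oracle-tun-1 auto-key ipsec-crypto-profile oracle-ipsec
set network tunnel ipsec oracle-tun-1 tunnel-interface tunnel.10

# Tunnel 2: ${ipAddress2} and ${sharedSecret2} are assumed placeholders, ${tunnelUnit2} = 11
set network ike gateway oracle-gw-2 protocol ikev1 exchange-mode main
set network ike gateway oracle-gw-2 protocol ikev1 ike-crypto-profile oracle-ike
set network ike gateway oracle-gw-2 authentication pre-shared-key key <sharedSecret2>
set network ike gateway oracle-gw-2 local-address interface ethernet1/1
set network ike gateway oracle-gw-2 peer-address ip <ipAddress2>
set network interface tunnel units tunnel.11
set network tunnel ipsec oracle-tun-2 auto-key ike-gateway oracle-gw-2
set network tunnel ipsec oracle-tun-2 auto-key ipsec-crypto-profile oracle-ipsec
set network tunnel ipsec oracle-tun-2 tunnel-interface tunnel.11

# Both tunnel interfaces go in the same zone and the same virtual router.
# Oracle may return traffic on either tunnel, so a reply arriving on tunnel.11
# must match the same zone pair as a flow that left on tunnel.10.
set zone "Oracle Cloud Infrastructure" network layer3 [ tunnel.10 tunnel.11 ]
set network virtual-router Oracle-virtual-router interface [ tunnel.10 tunnel.11 ]

# Route the VCN CIDR over both tunnels; tunnel 1 is preferred (lower metric),
# tunnel 2 is the backup. Return traffic still arrives on whichever tunnel Oracle picks.
set network virtual-router Oracle-virtual-router routing-table ip static-route vcn-via-tun1 destination 10.0.0.0/20 interface tunnel.10 metric 10
set network virtual-router Oracle-virtual-router routing-table ip static-route vcn-via-tun2 destination 10.0.0.0/20 interface tunnel.11 metric 20

commit
```

Both peers must offer exactly the proposals in the two tables; a mismatch in encryption, hash, DH group or exchange mode fails phase 1 or phase 2 negotiation rather than degrading gracefully. After the commit, `show vpn ike-sa` and `show vpn ipsec-sa` in operational mode show whether each tunnel's security associations came up, and `test vpn ike-sa gateway oracle-gw-1` forces a phase 1 negotiation for one gateway so you can check a single tunnel in isolation.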

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.